Cyber-security is about the basics

When you read about nations and sophisticated hacking organizations being responsible for computer hacks, it’s easy to throw up your hands and say how can I possibly prevent such things; but the reality is a lot more nuanced than that. While the Equifax hack was quite sophisticated once the hackers got inside Equifax’s systems, the reality was that the hackers took advantage of a known vulnerability that could have been patched to prevent the hackers from getting inside in the first place. Wannacry is another example that took a patchable vulnerability and the weakest link, users clicking on a link in an email, to cause havoc. Here are four inexpensive and easy things anyone can do to reduce the risk of succumbing to a cyber-security incident.

Train your staff – make sure your staff knows to ask questions about emails, and be suspicious about phone calls. Never go to a website directly from an email. If your bank wants you to do something go directly to the site from your favorites list. See who the email is really from; most email programs allow you to hover over the email address and see if it is really from the person or organization it appears to be from. And make sure everyone understand that it is not offensive to call someone to ask if they really sent you the email before you click on any links in the email. Finally reinforce the training constantly at monthly staff meetings and with new employees.

Patch your software – you should be updating your operating systems and other software as soon as the patches are available, or at least on a regular scheduled that is no longer than a month. The patches don’t cost you any money, so there is simply no excuse for not patching software regularly. If your IT department tells you they need to make sure the patches don’t interfere with the operations of other software, then tell them that is fine, but they must do it fast.

Keep up with access – make sure you delete all access for employees that leave the company. You also need to make sure that access rights are changed when employees job duties change. The most likely hacker isn’t a nation or some rogue operation, but a disgruntled current or former employee. Leaving people with access to systems they no longer need is like giving the robber the keys to your house and telling them when you’ll be away. STUPID!

Check on vendor compliance – Just as you are responsible for internal controls performed by vendors, your business will be held accountable for cyber-security hacks that come through or happen to vendors. The famous Target hack started through a vendor that was completely unrelated to the point- of-sale system that was ultimately hacked. You need to make sure your contracts say vendors are responsible for maintaining your standards for cyber-security and then make sure they are following the contract.

While none of these steps will eliminate cyber-security hacking risk, they are like common sense things we do every day such as locking your car when you go inside a store. The point is not to be invulnerable. The point is to make your business harder to get into so the criminal will go looking for an easier target. The old adage of not having to outrun the bear, just having to outrun the other people in your group applies here. Don’t be the most vulnerable one in the group or the bear will take you down.